Methods of accessing and providing access to a remote resource from a data processing device

ABSTRACT

A method of accessing a remote resource ( 4 ) from a data processing device ( 2 ) includes obtaining a first URL corresponding to the remote resource ( 4 ), obtaining secret data corresponding to the first URL, using the secret data to generate an obscured URL at the data processing device ( 2 ), and accessing the remote resource using the obscured URL. This allows the user of the device ( 2 ) to see a first URL which is intelligible and provides useful information about the device, without sharing that information with the network. The obscured URL identifies the actual location of the remote resource and can be an unintelligible stream of digits or letters.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation of U.S. application Ser. No.15/850,550 filed Dec. 21, 2017, which in turn is a continuation of U.S.application Ser. No. 15/315,686 filed Dec. 1, 2016, now U.S. Pat. No.9,887,970 issued Feb. 6, 2018, which is a National Phase entry of PCTApplication No. PCT/GB2015/051410, filed on May 13, 2015, which claimspriority to GB Patent Application No. 1409853.7, filed on Jun. 3, 2014,each of which is hereby fully incorporated herein by reference.

The present technique relates to the field of data processing. Moreparticularly, the technique relates to accessing, or providing accessto, a remote resource from a data processing device.

Cloud computing services are becoming more common. More and more devicesare being connected to the cloud, for example as part of the “Internetof Things”. For example, relatively small devices such as temperaturesensors, healthcare monitors and electronic door locks can be connectedto the cloud so that they can be accessed and controlled using remotesystems. For example, the door may be remotely opened from a remoteplatform, or data from a temperature sensor or healthcare monitor may beaggregated at a remote location and accessed from another device. Hence,there is an increasing amount of data being collected by cloud platformsand their providers.

However, there is also an increasing distrust of giving large companiessuch as the cloud provider data about an individual and the individual'sdevices. Currently, when data is provided to a cloud service then thereis little protection for the user's personal information. Nevertheless,cloud services are useful and so it is still desired to be able tointeract with other devices securely over the cloud. The presenttechnique seeks to provide a more secure method of accessing remoteresources from a data processing device.

Viewed from one aspect, the present technique provides a method ofaccessing a remote resource from a data processing device, the methodcomprising:

obtaining a first uniform resource locator (URL) corresponding to theremote resource;

obtaining secret data corresponding to the first URL;

generating an obscured URL at the data processing device using thesecret data corresponding to the first URL, wherein the obscured URL isfor obtaining the actual location of the remote resource; and

accessing the remote resource using the obscured URL.

The present technique recognizes that it is not just the data stored atremote resources that may contain personal or sensitive information. TheURL (uniform resource locator) from which the resource is accessed mayitself give away information. For example, a user may have a devicewhose URL includes information about the type, make, model, function orlocation of the device, or information about the user who owns thedevice. Similarly, a website may have a URL which may containinformation describing or hinting at the interests or details of theperson running the website. This means that often the informationincluded in the URL of the remote resource may be as interesting tocloud providers or “big data” aggregators as the actual data of theremote resource. In current cloud platforms, the URL of the remoteresource is open to all and visible to the cloud infrastructure (e.g.through requests sent to a server) and so potentially may lead to lossof private or sensitive information. To maintain privacy, it is possibleto use a URL which does not give any meaningful information, such as arandom string of characters, but this makes it harder for the resourceto be accessed by both the person managing the resource and other users,since a random string of characters is difficult to remember.

The method of the present technique obtains a first URL corresponding tothe remote resource and secret data associated with the first URL. Thefirst URL may be an intuitive URL with descriptive data about what thedata at the remote resource means. The first URL may be obtained invarious ways, such as by the user of the device typing a URL, byclicking a link from an email or other website, or by the deviceaccessing a previously stored URL or a URL permanently embedded in thedevice. Using the secret data, the data processing device then generatesan obscured URL for obtaining the actual location of the remoteresource. The obscured URL is then used to access the remote resource.

Hence, the actual location of the remote resource is identified by theobscured URL, which may be any random string of characters (e.g.http://domain/a18b828f829e9 . . . ) which does not give away anypersonal information about the user or the user's devices. From thepoint of view of the cloud infrastructure, servers, and cloud providingor “big data” aggregating companies, the remote resource may beidentified solely by the obscured URL, so that the URL does not giveaway sensitive information. Nevertheless, the first URL may be used bythe data processing device to identify the remote resource. The firstURL may be a more natural looking URL (e.g.http://domain/health/alicesmith/bloodpressure/ . . . ) which has astructure which allows authorized users of the remote resource tointuitively understand what the data at a particular URL represents andhow the URL relates to other URLs, for example. The secret data allowsthe first URL to be mapped to the corresponding obscured URL at the dataprocessing device so that the first URL need not be known to the networkinfrastructure.

The remote resource may correspond to any data or device accessedremotely by the data processing device. For example, the remote resourcemay comprise a data processing device or embedded system which can becontrolled remotely from another platform; a remote computer, contentaggregator, server or cloud platform which receives data posted by thedata processing device; or a website or server accessed from the dataprocessing device. The access to the remote resource may include writingdata to the remote resource, reading data from the remote resource,and/or instructing a device associated with the remote resource to carryout an action, for example.

Data at the remote resource may be encrypted. For example, any data sentfrom the data processing device to the remote resource may be encryptedusing an encryption key included with the secret data for the first URL.This means that both the URL identifying the remote resource and thedata at the remote resource are obscured so that the networkinfrastructure or cloud operators have no visibility of any sensitiveinformation associated with the resource. If the obscured URL isgenerated using a secret key, then the same key may be used forencrypting the data and generating the obscured URL, or different keysmay be provided for generating the obscured URL and encrypted datarespectively. Keys for encryption may be maintained locally at thedevice or obtained from another location.

In general, the first URL may be visible to a user of the dataprocessing device. That is, the first URL may be the URL used by theuser to identify the remote resource. However, the first URL does notnecessarily need to be displayed on the data processing device itself.For example, a temperature sensor within a home heating system may beconnected to the cloud so that temperature data can be posted to aremote resource identified by the obscured URL, but may not have adisplay on which the user can see the first URL. The user may havevisibility of the first URL through a separate device such as a localheating controller within the user's home which communicates with thetemperature sensor via wireless signals for example.

In many cases, the first URL may not identify any actual location of aremote resource on the network. Hence, if a device which cannot generatethe obscured URL (e.g. it does not have the secret data for the firstURL) tries to access the first URL, then the access will fail. Forexample, an http 404 error message may arise because the resourceidentified by the first URL cannot be found. By not providing any reallocation on the network corresponding to the first URL, security can bemaintained.

It is also possible for the first URL to identify a real networklocation, but which corresponds to a different remote resource to theone accessed using the obscured URL, or to the same remote resource asthe obscured URL. For example, different versions of content may beprovided depending on whether the user has the secret key allowing theobscured URL to be generated. Also, in some cases the remote resourcecorresponding to the first URL may already be online identified by thefirst URL. For example, a legacy website designed without the use of thepresent technique may already have a URL containing intuitiveinformation. If the legacy resource was suddenly moved to the locationof the obscured URL to improve privacy/security, then the resourcemanager may lose users or customers who cannot find the old resourceanymore. Therefore, it may be useful for the transition to the presenttechnique to be made more gradually. At first, the legacy resource atthe first URL may operate in parallel with the more secure resource atthe obscured URL, so that the first URL will for a period correspond toa real network location. Once enough users/devices have been providedwith the secret data which allows them to locate the obscured URL, thelegacy resource can then be taken offline, at which point the first URLwill no longer point to a real location.

It is desirable that the generation of the obscured URL from the secretdata is such that the first URL cannot be obtained from the obscured URLusing the secret data. That is, the secret data may contain enoughinformation to allow the data processing device to generate the obscuredURL corresponding to the first URL, but not enough information for aparty to obtain the first URL from the obscured URL.

In some cases, the obscured URL may be generated by transforming thefirst URL into the obscured URL using the secret data. For example, thesecret data may include a secret key and the obscured URL can begenerated by encrypting the first URL using the key. For example, aone-way transformation, such as md5 or one of the SHA (Secure HashAlgorithm) family of transformations, may be used to hash the first URLbased on a secret string contained in the secret data. Even if someonehas the obscured URL and the secret string, it is not possible for themto determine the first URL used to generate the obscured URL.

It is also possible to generate the obscured URL based on informationincluded in the secret data. The generation of the obscured URL may beindependent of the particular character values of the first URL, i.e.the obscured URL is not a transformation of the first URL, but may bebased solely on information included in the secret data. In this case,an attempt to access the first URL may trigger the obscured URL to begenerated, but the first URL itself is not an input for the obscured URLgeneration. For example, the secret data could include the obscured URLitself, so that no transformation is required. Alternatively, the secretdata could include one or more secret strings or values which can betransformed into the obscured URL. Either way, even if someone has theobscured URL and the secret data, this does not provide any informationabout the first URL.

Also, in some cases the secret data may be part of the first URL itself(e.g. a code or string of characters within the first URL), and theobscured URL may be generated by applying a hash or other transformationto the first URL. Also, the secret data may be data defining a hashalgorithm to be applied to the first URL to generate the obscured URL.The secret data may be held locally by the device or may be obtainedfrom a website or other remote resource.

Different data processing devices may be allocated different secret datacorresponding to the same first URL. Therefore, when the differentdevices access the same first URL, this is mapped to different obscuredURLs using the different secret data, so that different remote resourcesare accessed by the respective devices. This is very useful for allowingdifferent content, or different representations of the same content, tobe provided to different users or groups of users. Each user or groupmay use the same first URL and so may not be aware that they are given adifferent view of content to other users. The different obscured URLsmay correspond to entirely different resources, or to different parts orsubsets of a common remote resource. For example, it may be desirable togive some groups of users access to the entire resource, while othergroups of users can only see selected sections of resource. Also, someusers may be able to see high resolution data (e.g. full-size images ortime series data sampled often) with other users seeing lower resolutiondata (e.g. compressed images or time series data sampled lessfrequently).

The obscured URL may identify the actual location of the remote resourceto be accessed. Hence, once the obscured URL has been generated, thedata processing device can simply access the location identified by theobscured URL.

However, if different versions of resource need to be made accessible todifferent users or groups of users, this approach may not be efficientas the resource manager may need to maintain multiple copies of data atdifferent URLs, increasing the overhead associated with updating ormaintaining the resource.

Therefore, it can be more efficient for the obscured URL to identify thelocation of a key node resource including data for obtaining a resourceURL identifying the remote resource itself. Hence, the secret data mapsthe first URL to a corresponding obscured URL, which is used to accessthe key node resource. The key node resource then gives further dataredirecting the device to the resource URL of the remote resource. Thedata at the key node resource may include the resource URL itself, datafor calculating the resource URL, or data identifying another remotelocation from which the resource URL may be obtained, for example.Hence, if different representations of the resource are required fordifferent users, each user can be provided with a different key noderesource, but the different key nodes may direct the user to a commonresource URL so that it is not necessary to maintain multiple versionsof the remote resource itself. As for the obscured URL, the resource URLmay also be a non-intelligible URL which does not contain sensitiveinformation.

The key node resource may include information for decrypting data at theremote resource.

The key node resources can also simplify revocation of access toresources by users or groups of users. If the obscured URL directlyidentifies the remote resource, revoking a user's access may require theremote resource to be moved to a new location and new secret dataprovided to other users who need to continue accessing the resource toallow those users to generate the new obscured URL. This is a relativelycomplex operation.

A more efficient approach may be to provide key node resourcesidentified by the obscured URLs generated using the different secretdata for each user. To revoke access to a user or an entire group ofusers, the key node resource for that user or group of users is simplyremoved. This means that if the revoked user or a user of the revokedgroup attempts to access the remote resource, the obscured URL generatedwith the corresponding secret data will no longer map to a real locationand so the access will fail preventing the real URL of the resourcebeing accessed. This avoids the need to relocate the resource itself orto redistribute new secrets to authorized users.

The key node resources also simplify revocation of access to a resourcefor a selected user within a group while maintaining access to theresource for the rest of the group. This can be done by generating newgroup secret data for the selected group of users, providing access tothe new secret data to the users of the group other than the selecteduser, creating a new key node resource identified by a new obscured URLgenerated using the new group secret data, the new key node resourcecomprising data for obtaining the resource URL of the remote resource,and making inaccessible the key node resource previously correspondingto the selected group of users. This means that the selected user whodoes not have the new secret data will not successfully reach a key noderesource which allows access to a remote resource.

The secret data may be stored locally at the data processing device, orobtained from another location. The secret data may be referred to belowas the “site secret” or “secret”.

The same secret may be used for accessing more than one remote resource(e.g. a party may provide a single secret for accessing all URLsmaintained by that party). Hence, when a device encounters a new URL, anew secret may also be supplied, but this is not essential since thedevice may already be in possession of a secret suitable for use withthat URL.

The data processing device may be able to access multiple secretscorresponding to the same resource. For example, there may be differenttypes of access permitted for different classes of user, and a singleuser may belong to several overlapping classes. For example a user mayhave a personal secret as well as a group secret corresponding to agroup of users of which the user is a member and/or a generic secretwhich can be used by anyone. Multiple secrets may be stored locally atthe data processing device.

An expansion URL can be provided to the data processing device (forexample as part of the secret data for the first URL) identifying alocation from which further secret data can be obtained. Using theexpansion URL simplifies the distribution of group secrets, allowingsecrets to be changed without having to directly contact each member ofthe group for example.

The data processing device can then attempt accesses to differentobscured URLs generated with each of the secrets. In some cases the dataprocessing device may try accessing one obscured URL, and if that doesnot succeed, try another obscured URL generated using a differentsecret, and continue trying until an access is successful or all of thesecrets have been tried. For example, the secrets may have apredetermined secret hierarchy setting an order in which the dataprocessing device should attempt to access the obscured URLs. Forexample, a personal secret may take precedence, followed by at least onegroup secret and then a generic secret. Alternatively, to improveperformance the data processing device may attempt accesses to severaldevices simultaneously on the expectation that some accesses may fail(this may be faster than trying each in sequence). A similar hierarchyof secrets may determine which secret should be prioritized if multipleaccesses are successful.

In some cases the secret key provided to the data processing device mayhave associated conditions for determining whether access to the remoteresource may be granted using the secret data. For example, a secretscope may be defined identifying a domain, sub-domain, folder, orspecified part of a site or collection of resources, for which thesecret applies. In this case, accesses using the secret may fail if theyare not within the scope parameter. The resource accessed using aparticular secret may correspond to only part of an overall website orcollection of resources, and other secrets may be required for otherparts of the remote resource. Another example of an access conditionincluded in the secret data may be a time constraint, so that the remoteresource may only be accessed successfully within a specified timewindow or period. Data stored at the remote resource or transactionssent to the resource may be cached at network nodes between the dataprocessing device and the remote resource. For example, writetransactions for writing data to the resource may be cached as theytravel up the network. Since both the data and the URL of the remoteresource can be made anonymous using the present technique, then thisremoves any risk of loss of privacy when the data is held by thirdparties. This frees up options for caching the data or transactions forthe remote resource in multiple places, which can be very useful forperformance or reliability reasons. For example, even if the remoteresource itself is not available (e.g. a device may operate in apower-saving state most of the time and may only wake up periodically),its data may be read from a cache or proxy so that it is not necessaryto wait for the resource to become available again. Also, if the datafrom the resource is available in multiple places then on accessing itthe data can be obtained from the location with the lowest expectedtransaction cost (which may be determined based on time or energy forexample). Similarly, when transactions are sent for the remote resource,and there are multiple communication channels available for atransaction then the channel with the lowest associated cost can beselected (e.g. one of Bluetooth, WiFi, 3G or wired connections may beselected).

Data and transactions may also be proxied at boundaries betweendifferent protocols (e.g. HTTP and COAP) or different communicationmediums (e.g. Bluetooth and WiFi). If the data processing device and thedevice associated with the remote resource communicate using differentprotocols or mediums, a translating proxy (e.g. a router) may bridge thegap between them without loss of security/privacy.

The data processing device itself, or an intermediate network nodebetween the data processing device and the remote resource, may have atransaction queue for queuing transactions to be sent to a deviceassociated with the remote resource. The device associated with a remoteresource may in some cases be the device providing the remote resourceitself or may be another device which controls the remote resource. Thedevice associated with the remote resource may pull the transactionsfrom the transaction queue when it is ready to process the transactions.The transactions in the transaction queue may be encrypted to maintainsecurity. The transaction queue is useful because it allows the dataprocessing device and the device associated with the remote resource tocommunicate asynchronously. Even if the data processing device anddevice associated with the remote resource are not simultaneously in anactive state, the data processing device can post transactions to thequeue and the device associated with the remote resource can pull thetransaction from the queue when it next wakes up.

Some devices may function both as a data processing device for accessinga remote resource and a device associated with a remote resource to beaccessed by another device.

When instructing a specified operation to be performed using the remoteresource, the data processing device may have to prove its identity, sothat unauthorized devices cannot control the remote resource ininappropriate ways. Therefore, the data processing device may have, orbe able to obtain, authentication information for verifying that thedata processing has the right to instruct the specified operation to beperformed using the remote resource. The authentication information mayfor example include a certificate and/or a public key associated withthe data processing device which verifies the identity of the devicesending the transaction. When receiving a transaction the deviceassociated with the remote resource can then check the authenticationinformation and verify whether the specified operation is allowed to beperformed.

The authentication information may specify validity informationspecifying when the authentication information is valid (e.g. theauthentication information's validity may expire at the end of a giventime period). Also, the authentication information may define permissioninformation specifying which operations are allowed to be instructed bythe data processing device. This allows different access rights to begranted for different operations using the resource. For example, adevice may be allowed to read data but not write.

In some cases the authentication information may be obtained by thedevice associated with the resource from an authentication URL specifiedin the transaction sent from the data processing device. Hence, the dataprocessing device need not provide the authentication informationitself, but may specify a location from which the authenticationinformation can be maintained. For example, the authentication URL maybelong to a certificate issuing authority. This approach makes it easierfor relatively small data processing devices to control the remoteresource, since it is not necessary for the data processing device totransmit certificates or other authentication information.

In some cases the authentication URL may be a URL identifying the dataprocessing device itself, or may identify a different location.

The authentication URL may have a fingerprint portion which is generatedusing at least part of the authentication information held by the dataprocessing device. This means that a device issuing a transaction forthe remote resource can only succeed if it already has access to theauthentication information, otherwise it will not be able to direct thedevice associated with the remote resource to the correct authenticationURL for the authentication information. For example, the fingerprint maybe a hash of part of the certificate of the authentication information,or a value encrypted using the public key. The fingerprint providesassurance that the correct version of the authentication information hasbeen provided and has not been modified since it was authored. Forexample, if a party's website domain gets transferred to someone else,they cannot post a valid new version of“https://my-site/certs/geraint/12b274a” because the fingerprint will notmatch.

In some cases, there may be a chain of authentication informationrequired to verify that a device is authorized to control the remoteresource. For example, one certifying authority may certify anotherauthority to issue certificates, and so parties authorized by the secondauthority may need to cite the certificates issued by both certificateauthorities in order to be verified. In this case, the authenticationURL fingerprint may be derived from each piece of authenticationinformation in the chain, to ensure that only someone having all thelinks of the chain can be authenticated for controlling the resource.

The device associated with the remote resource may obtain theauthentication information from the authentication URL via a differentcommunication channel to the communication channel used to transmit thetransaction. For instance, the data processing device may issue atransaction to a door device (acting as remote resource) by submitting atransaction over one channel (e.g. Bluetooth). The data processingdevice may cite the authentication URL in the transaction (e.g.https://abc.xyz.com/ufO7ZxhqJRwpI) so that the door device can obtainthe authentication credentials. However, obtaining these credentialsover Bluetooth from the device to the door in this way may beinefficient, slow or otherwise undesirable, so instead the door may usessome other unrelated route (e.g. house router, or a wired connection) tofetch the credentials.

The authentication information of the data processing device may becached by at least one network node. The device associated with theremote resource can use the cached authentication information to verifythat the data processing device has the right to instruct the specifiedoperation to be performed using the remote resource. This allowsauthentication credentials to be obtained more quickly than if theyalways had to be sourced from the authentication URL. The node whichcaches the authentication information may belong to a different party tothe party operating the authentication URL and the user of the dataprocessing device.

The authentication information may separately define validityinformation specifying a time period when the authentication informationis valid and cacheability information specifying a time period when theauthentication information can be cached in the network. Thecacheability information may specify a shorter period for caching thanthe period set in the validity information. This means that cachedcopies of the authentication information are discarded periodicallywhile the authentication information remains valid, so that theauthentication credentials will then need to be resourced from theoriginal authentication URL.

Access to a particular user can then be revoked easily by removing theauthentication credentials for that user from the authentication URL. Incontrast, if no limit on cached copies was set, then to revoke the rightto control the remote resource one may need to set a shorter validityperiod, so that there is more management overhead in generating newauthentication information and making this available to authorized usersmore frequently. Hence, the cacheability information helps to makemanagement of authentication information more efficient.

Similarly, separate validity and cacheability information may also bedefined for other cached resources. For example, a long lived piece ofdata, such as a device address, may also benefit from separatecacheability and validity periods to allow for revocation of access morefrequently than new versions of the data are generated.

The periods specified by the validity information and the cacheabilityinformation may be any specified time or usage conditions. For example,the periods may be specified in seconds, minutes, hours, days, weeks,months, years, etc. The periods may have defined start and endtimes/dates/years or may only have an expiry time/date. The periods mayalso include non-continuous periods such as “every Monday until acertain date”. Also, the periods may be based on the number of times theauthentication information is used, rather than a time period (forexample, valid for 100 accesses, cached copies discarded after 10accesses).

The present technique may be implemented using at least one computerprogram executed by at least one device which controls the at least onedevice to perform the method as discussed above. The at least oneprogram may be stored on at least one computer readable storage medium,which may be for example a non-transitory storage medium.

Viewed from another aspect, the present technique provides a dataprocessing device comprising:

processing circuitry configured to perform data processing; and

communication circuitry configured to access a remote resource;

wherein the processing circuitry is configured to:

(a) obtain a first uniform resource locator (URL) corresponding to theremote resource and obtain secret data corresponding to the first URL;

(b) generate an obscured URL using the secret data corresponding to thefirst URL, wherein the obscured URL is for obtaining the actual locationof the remote resource; and

(c) control the communication circuitry to access the remote resourceusing the obscured URL.

Viewed from a further aspect, the present technique provides a dataprocessing device comprising:

processing means for performing data processing; and

communication means for accessing a remote resource;

wherein the processing means is configured to:

(a) obtain a first uniform resource locator (URL) corresponding to theremote resource and obtain secret data corresponding to the first URL;

(b) generate an obscured URL using the secret data corresponding to thefirst URL, wherein the obscured URL is for obtaining the actual locationof the remote resource; and

(c) control the communication means to access the remote resource usingthe obscured URL.

Viewed from a further aspect, the present technique provides a method ofproviding a data processing device with access to a remote resourcewhose actual location is identified by a resource uniform resourcelocator (URL), the method comprising:

generating secret data corresponding to a user of the data processingdevice;

generating an obscured URL using the secret data corresponding to theuser;

storing data for obtaining the resource URL to a location identified bythe obscured URL; and

providing the data processing device with (i) a first URL foridentifying the remote resource to the user and (ii) the secret data forobtaining the obscured URL.

In a corresponding manner to the technique discussed above, a contentauthor or party managing a remote resource may provide access to theresource for another user by generating secret data and obscured URL forthe user, establishing a key node resource at the obscured URL to allowthe user to obtain data for obtaining the actual resource URL, andprovide the user's device with the first URL which the user can use torefer to the resource and the secret data for obtaining the obscuredURL. By providing different users with different secret data anddifferent obscured URLs, this allows the content author to provide userspecific representations of content for each user.

Viewed from another aspect, the present technique provides a dataprocessing device comprising:

processing circuitry configured to perform data processing; and

communication circuitry configured to access remote locations;

wherein the processing circuitry is configured to:

(a) generate secret data corresponding to a user of a data processingdevice to be provided with access to a remote resource whose actuallocation is identified by a resource uniform resource locator (URL);

(b) generate an obscured URL using the secret data corresponding to theuser; and

(c) control the communication circuitry to store data for obtaining theresource URL to a location identified by the obscured URL, and toprovide the data processing device with (i) a first URL for identifyingthe remote resource to the user and (ii) the secret data for obtainingthe obscured URL.

Viewed from a further aspect, the present technique provides a dataprocessing device comprising:

processing means for performing data processing; and

communication means for accessing remote locations;

wherein the processing means is configured to:

(a) generate secret data corresponding to a user of a data processingdevice to be provided with access to a remote resource whose actuallocation is identified by a resource uniform resource locator (URL);

(b) generate an obscured URL using the secret data corresponding to theuser; and

(c) control the communication means to store data for obtaining theresource URL to a location identified by the obscured URL, and toprovide the data processing device with (i) a first URL for identifyingthe remote resource to the user and (ii) the secret data for obtainingthe obscured URL.

Further aspects and features of the present technique will be apparentfrom the following examples which are to be read in conjunction withaccompanying drawings.

FIG. 1 illustrates an example of a data processing device accessing aremote resource;

FIG. 2 illustrates an example of a site secret for the remote resource;

FIG. 3 illustrates an example of accessing the resource at an obscuredURL generated using the site secret;

FIG. 4 illustrates a method of accessing a remote resource;

FIG. 5 shows an example where the obscured URL identifies a key noderesource which contains data for providing the URL of the remoteresource;

FIG. 6 illustrates a method of providing a data processing device withaccess to a remote resource;

FIG. 7 illustrates an example of using an expansion URL to obtaindifferent site secrets for accessing the resource;

FIG. 8 shows an example of revoking a user's membership of a groupallowed to access a remote resource;

FIG. 9 shows an example of providing different site secrets foraccessing different resources corresponding to parts of the same site orcollection of resources;

FIGS. 10A to 10D illustrate a method of transitioning a legacy resourceto a more secure resource using obscured URLs;

FIG. 11 shows an example of a network in which data and transactions forremote locations may be cached at nodes of the network;

FIG. 12 shows an example of obtaining authentication information forverifying that a device is authorized to instruct an action to beperformed at the remote resource.

FIG. 1 illustrates an example of a data processing device 2 accessing aremote resource 4 in the cloud when the present technique is notapplied. For example, the data processing device 2 may be a health caremonitor which monitors various parameters related to the user's health,such as heart rate, blood sugar level, temperature, etc. The monitoreddata is provided to a cloud service, such as a platform provided by ahealthcare provider which can analyze the user's health data and flaghealth problems detected using the data. The data is posted to a remotelocation identified by a URL (e.g. /data/health/summaries). However, theURLs used by devices and users often contain intuitive informationidentifying the user, their device 2, or the purpose of the data, sothat the URL can easily be remembered or understood by the user of thedevice 2. Therefore, the URL may often contain sensitive or personalinformation, such as the user's name or location, the device's make,model, type, or location, or information about the meaning of the dataprovided by the device. Therefore, the cloud provider, an internetinfrastructure operator or other parties may be able to derive personalinformation from the URL even if the data stored at the URL isencrypted. There is an increasing distrust in allowing companies toaccess such information.

To address this issue, the data processing device may be provided withsecret information as shown in FIG. 2. This secret information iscollectively referred to as a “site secret”. The site secret is providedfor a particular URL (“first URL”) and for a particular user or device.The user/device can use the first URL to identify the remote resource.However, the first URL does not identify the actual location of theremote resource. The site secret is for mapping the first URL to adifferent obscured URL which is used to find the actual location of theremote resource. In this way, there is no need for network operators orcloud providers to see an intuitive URL, as only the obscured URL needsto be exposed to the network. Nevertheless, the user can still use anice intuitive URL to make interaction with the resource moreconvenient.

As shown in FIG. 2, the site secret includes a scope which specifies theremote resources to which the site secret applies. In this example, thescope portion indicates the paths or subpaths of the resources to whichthe site secret applies. In this example, the site secret applies to thepath “/data”. Implicitly, the site secret may also apply to all subpathsof the path indicated in the scope. Hence, accesses to resources notwithin the specified path (including subpaths) may not succeed. In otherexamples, the scope may specify further conditions which must be met inorder for an access to be successful (e.g. time based or use basedconditions).

The site secret also includes URL encoding information which specifieshow to generate the obscured URL of the resource. In this example, theURL encoding information includes a secret string to be used as a keyfor transforming the first URL into the obscured URL, data defining atransformation to use for generating an encoded string for the obscuredURL (e.g. SHA256 in this example) and a template URL into which theencoded string can be inserted to form the obscured URL. SHA256 is aone-way transformation which means that even if the secret string (key)is known, it is not possible to use the key to transform the obscuredURL back into the first URL. Other transformations may also be used(e.g. md5, other SHA algorithms, CRC32). In this example, the templateis “/data/{hex:22}”, which means that a 22-character truncated stringgenerated based on the SHA256 algorithm is inserted into the template tocreate the obscured URL. The string to be inserted into the template maybe a truncated version of the actual result of the transformation (it isnot essential to use all bits of the encoded string in the URL). Inother examples the full string generated by the hash algorithm may beused.

The site secret also includes content encoding information defining howto encode document content or transactions to be sent to the remoteresource. Another secret string may be used as a key for encoding thecontent, e.g. using the AES192 algorithm as shown in FIG. 2.

Hence, as shown in FIG. 3, instead of posting content in the clear tothe first URL, the healthcare device 2 may post encrypted content to anobscured URL, so that both the content and the URL corresponds to anunintelligible string of characters which does not give away anysensitive information.

FIG. 4 illustrates a method of accessing a remote resource from a dataprocessing device 2. At step 10, a first URL corresponding to the remoteresource is obtained by the data processing device 2. The first URL maybe obtained, for example, by the user typing in a URL into a browser,the user clicking a link in an email or website, reading a pre-storedURL, or accessing a fixed URL permanently embedded into the device atmanufacture, or in any other way. At step 12, the site secretcorresponding to the first URL is obtained, and used to generate anobscured URL. At step 14, the remote resource is accessed using theobscured URL. Hence, this approach allows devices to serve data and beaccessed remotely without giving away information in the URL of thedevice.

The data processing device 2 may be any processing device which needs toaccess a remote resource. The present technique is particularly usefulfor small scale devices such as sensors, controllers or wireless nodesin the cloud. In some cases, the data associated with the remoteresource may be served from the resource itself such as a temperaturesensor, or healthcare device. In this case the device itself may beidentified by the obscured URL. Alternatively, such resources may begiven a cloud address for high availability which is then accessed froma separate server corresponding to the resource device.

For privacy, it is preferable that the first URL does not correspond toany real location within the cloud. This means that the first URL iscompletely invisible to network operators and cloud providers. However,in some cases the first URL may also map to a real location on thenetwork, for example when converting a legacy site to a new site asdiscussed below with respect to FIGS. 10A to 10D. Also, in some casesthe first URL may identify a location with different content to theremote resource identified using the obscured URL.

FIGS. 2 and 3 show an example in which the obscured URL is generated bytransforming the first URL using a transformation algorithm such asSHA256. However, it is also possible to generate the obscured URL inother ways. For example, rather than providing a separate site secretincluding a key for scrambling the URL, the secret data may instead beincluded in the first URL, with different users provided with differentsecret data. For example, a first URLhttp://meriac.com/pips/this/is/my/tv?secret=4567 may include secret data4567 for a particular user or group of users. The device 2 may hash thisURL using a predetermined algorithm (e.g. CRC32 or SHA256) to generate asecret string “9677BE35” so that the obscured URL becomeshttp://meriac.com/pips/9677BE35. In general, the secret data may be anydata which provides information for generating the obscured URL whichshould be accessed instead of the first URL.

In some cases, a third party plugin or website-frame work may be used togenerate the obscured URL. For example, a Party A may create a pluginthat hashes URLs into node IDs (obscured URLs). The plugin does notunderstand the concept of having a URL secret, but can decrypt andverify URL file payloads. Another Party B may provide a Website-Framework that contains a java-script-include on each page that takes apre-defined URL-parameter (let's call it “secret”) and rewritesdynamically URLs of subsequent page requests of images and other contentlinked on the page. Another Party C (e.g. a content author) publishes alink to http://C.com/site.html?secret=xyz to a user D and a linkhttp://C.com/site.html?secret=abc to a user E (plus individual keys K(D)and K(E)), and authors user-specific key nodes (see below) for theindividually personalized URLs. Hence, in this example the secret datafor each user is included in the first URL itself.

The user D of the end device 2 then visits site C, and the plugin Aperforms secret-less hashing of http://C.com/site.html?secret=xyz intohttp://C.com/45c2d52c8b514a01. The plugin A performs decryption offetched content from this URL using K(D). The user's browser executesthe embedded JavaScript framework in site C, which rewrites all URLs inthe page by appending the secret=xyz parameter. Pages or resourcesfetched by the browser are then intercepted by the browser plugin A andhashed without additional secrets. For user E, the process may besimilar to user D, but with a different entry link.

It is possible to provide site secrets which can be used for multipledifferent remote resources. For example, a particular party may providea site secret which can be used by a user to access resources from arange of locations managed by that party. Hence, one secret may cover awhole range of URLs, and when encountering a new URL, the dataprocessing device may already be in possession of a secret suitable foruse with that URL and so may not need to acquire a new site secret.

The obscured URL may be obtained by the device 2 in different ways. Forexample, the generation of the obscured URL may be implemented usingembedded functionality within the device, using code which is part of abrowser or other software executed by the device 2, or using a browserplugin, applet or javascript obtained from a third party.

It is possible for the obscured URL generated using the first URL toidentify the location of the remote resource itself. However, it may bedesirable to provide different users with different versions of contentor access to different resources. To maintain security and the abilityto individually control the access to different users, it can be usefulto provide each user with a different site secret mapping to a differentobscured URL. However, if each obscured URL actually contained theremote resource itself, it would be difficult and time consuming tomaintain many different copies of the same remote resource for each userat different URLs.

FIG. 5 shows how different representations of the same resource can bemanaged more efficiently using key node resources. As shown in FIG. 5,the obscured (encrypted) URL generated using the site secret for a givendevice may identify the location of a key node resource K0-K2 which doesnot store the actual remote resource. Each key node resource K0-K2contains data for obtaining the actual resource URL of the remoteresource. This means that different users can be provided with access todifferent parts of the remote resource by specifying different resourceURLs at the key nodes (or by specifying the same resource URL but withdifferent pieces of associated information identifying which parts ofthe URL are accessible). For example, in FIG. 5 the users of devices D1and D2 access key nodes K1 and K2 respectively to obtain resource URL 1(e.g. http://abc.com/data/18659458.php) which gives them access to theentire remote resource. However, a user of device D0 obtains resourceURL 0 from key node K0 (e.g. http://abc.com/data/58159873.php) whichonly allows them to access a subset of the remote resource. Hence, thedifferent resource URLs provided by each key node may correspond tooverlapping parts or subsets of the remote resource. In other examplesthe resource URLs provided by different key nodes may correspond todifferent remote resources entirely.

This approach allows different representations of the data to beprovided to different users. For example, the different representationsprovided for the remote resource may provide different types of content,different content quality (e.g. full images or compressed images),different granularity of access to content (e.g. time series datasampled at hourly increments or daily increments), or different subsetsof data available to users. Each user may use the same first URL, and somay not be aware that other users have different access to data or thatthere are multiple representations of data being provided by the remoteresource. The access to the different forms of the resource iscontrolled by providing different site secrets for each user, whichcause the first URL to be mapped to different obscured URLs.

The key nodes K0-K2 may also store data for decrypting content at theresource URL. This means that only authorized users who havesuccessfully located a key node for the resource can obtain thedecryption key for decrypting the content.

The use of key nodes K0 to K2 as shown in FIG. 5 is also useful sincedifferent users can be granted and/or revoked access to the remoteresource by simply manipulating the key node resources without modifyingthe remote resource in any way.

For example, FIG. 6 shows a method of providing a user of a dataprocessing device 2 with access to the remote resource. The method canbe performed by a data processing apparatus for a content author orparty managing the remote resource. At step 20, a new site secret isgenerated for the user to be granted access to the remote resource. Atstep 22, the user's secret is used to generate the obscured URL for thatuser (the obscured URL may be generated in the same way as at step 12 ofFIG. 4). At step 24, a key node resource is established at the obscuredURL, including data for obtaining the resource URL of the remoteresource. At step 26, the first URL which the user will use to identifythe resource, and the site secret corresponding to the first URL, areprovided to the user's data processing device. The user's device canthen access the remote resource using the method of FIG. 4 via the keynode resource as shown in FIG. 5.

Access to the remote resource by a particular user can be revoked byremoving the key node resource at the URL generated using the sitesecret for that user. For example, see device D3 of FIG. 5 which has itsaccess revoked by removing the corresponding key node resource.

When the key node resource is removed, the user of the device can nolonger access the remote resource since there is no way for them toobtain the resource URL. Hence, there is no need to move the actualresource when a user's access is revoked. For added security theresource could also be moved, in case a user has managed to obtain andstore the resource URL.

A user may have access to different site secrets for the same remoteresource. For example, a user may have a personal site secret but mayalso have access to a group site secret associated with a group of usersor a generic site secret which is available to everybody. The expansionURL shown in FIG. 2 may be used to obtain additional site secrets. Asshown in FIG. 7, a number of site secrets 28 may be stored at theexpansion URL. The data processing device D0 may obtain the site secretsfrom the expansion URL, in addition to the initial site secret held bythe device D0. The device D0 then attempts to access one or moreobscured URLs generated using the different site secrets until an accessis successful. For example, the device D0 may try each obscured URL inturn. In the example of FIG. 7 the device first tries the obscured URLgenerated using the personal secret, then tries obscured URLs for twodifferent group secrets, before finding that the obscured URL generatedusing the generic secret successfully locates a real location KN on thenetwork from which the resource URL can be obtained. The device D0 mayalso try multiple accesses in parallel in case one fails, to speed upthe access. If multiple accesses are successful, there may be apredetermined priority order which determines which access to follow upon. This approach is useful because it means that group secrets do notneed to be held permanently by end devices D0, and instead can becontrolled more carefully from the expansion URL.

FIG. 8 shows an example of a revoking access to a remote resource for aselected user within a group previously allowed to access the resource.As shown in the left hand part of FIG. 8, the expansion URL includes agroup secret G0 for a group of users of devices D0-D2. The group secretG0 is used to generate an obscured URL G0 of a key node KG0 from whichthe resource URL of the shared resource can be obtained. This allows thedevices D0-D2 to interact with the resource.

However, the user of device D2 then leaves the group and so D2's accessto the remote resource is to be revoked. For example, the resource G maybe a device for controlling a door lock and the user of device D2 mayhave left the organization who owns the door, and needs to be preventedfrom entering. To achieve this, a new site secret G1 is generated at theexpansion URL for a new group G1 of users D0, D1 which excludes therevoked user D2. Hence, when the devices D0, D1 access the expansion URLthey obtain both secrets G0, G1 while device D2 only obtains secret G0.A new key node KG1 is created at the obscured URL corresponding to thenew site secret G1. The key node KG1 again has the resource URLidentifying the resource. The original key node for this group KG0 isthen removed so that any access to the URL obtained using secret key G0will fail. Hence, when devices D0 or D1 access the first URL, the secretG1 successfully maps to the obscured URL of key node KG1 and so they canstill access the door to unlock it. However, device D2 only has secretG0 which no longer maps to a real location, and so cannot locate theresource anymore. Hence, this mechanism using key nodes and theexpansion URLs provides an efficient way for controlling access toresources without having to republish the resource itself.

As shown in FIG. 9, it is possible to provide different site secretscorresponding to different resources within a same site or samecollection of resources. For example, users may generally be allowed toaccess the style sheets (CSS files) of a website, but individual accessrights may be controlled for the data of the website. The scopeparameter shown in FIG. 2 may be used to select the parts to which thesecret applies. Hence, a first generic secret X can be provided withscope “/styles” for accessing the style sheets for the website.Individual secrets may then be provided for scope “/data” which alloweach device D0-D2 to individually access different subsets of the data.The scope “/styles” for secret X means that this secret cannot be usedto gain access to the “/data” portion of the website.

As mentioned above, the first URL (intuitive URL) may not correspond toany real location within the network to prevent cloud operators gainingaccess to sensitive information. However, legacy sites and devices mayalready be published on the cloud using such an intelligible URL. Inthis case, the legacy site may be transitioned to a more secure siteusing the present technique as shown in FIGS. 10A to 10D. In FIG. 10A,the legacy site is shown with intelligible file paths and file names. InFIG. 10B, a new site is created in which the data from the legacy siteis replicated at non-intelligible resource URLs (indicated by thequestion marks in FIG. 10B). Also, key node resources K are establishedfor users of the website. The key node resources K have obscured URLsgenerated using the site secret for the user or group or user, andcontain data identifying the corresponding resource URL. For a time, thelegacy site and the new site can run in parallel, so at this time thefirst URL for the new site may still map to a real location on thenetwork corresponding to the legacy site. Once enough users have accessto the new site, the legacy site may be deactivated, leaving only theprivate site whose URLs are unintelligible. As shown in FIG. 10D, theserver's view of the website is then completely anonymous since all URLsused for the site are obscured URLs.

As shown in FIG. 11, the data processing device 2 may correspond tovarious devices such as a laptop or other computer D2, mobile phone D3,server D5, temperature sensor D4, health monitor D1 or door control unitD0 for example. Similarly, the remote resources may correspond tosimilar devices D0-D5. As indicated in FIG. 11, some devices D0, D2, D4,D5 may function both as a remote resource 4 to be accessed by otherdevices and as a data processing device 2 for accessing remoteresources. The devices communicate with each other via the Internet(cloud), using various intermediate network nodes such as networkrouters and ISP (internet service provider) devices and networks. Itwill be appreciated that the network diagram in FIG. 11 is schematic andthat there are many different ways of implementing the network.

Since the URLs of remote resources are anonymous using the presenttechnique, and also the transactions and data exchanged by devices maybe encrypted, then there is no danger of leakage of information to thenetwork. This allows intermediate network nodes, such as a router or ISPnetwork device, to have a cache 30 for caching data or transactionsexchanged with a remote location, without any security or privacy risk.For example, when the health monitor device D1 uploads data to theserver D5 then the posted data can be cached as it passes up thenetwork.

By caching the data at different points within the network, this meansthat if the data needs to be accessed by the device D1 then it can beobtained more quickly from a cache 30 in the home router or the ISPnetwork than if it had to go all the way back to the server D5.Similarly, transactions for triggering devices to perform actions may bestored in a queue 40 within the device D5 initiating the transaction, orwithin another network node. For example, if the user of the laptop D2or phone D3 wishes to open the door associated with device D0 (e.g. tolet a friend or neighbor into their house), then the laptop of phone mayissue a transaction to the door device D0 to open the door. However, thedoor device D0 may not be active at this time, e.g. it may be in a powersaving mode and may only wake up periodically to check the queue 40 fortransactions. When the door device next wakes up, it can poll the queue40 and then open the door. The transactions in the queue 40 may beencrypted. By providing a queue 40 in the end device D5 or intermediatenode of the network, the phone or laptop D2, D3 and the door D0 cancommunicate asynchronously so that it is not necessary for both devicesto be active simultaneously in order for them to communicate.

In order to read or write data from a remote resource or perform anaction using the remote resource, it may be necessary for the deviceissuing the transaction to prove its identity and verify that it isallowed to take this action. Hence, as shown in FIG. 12 when the device2 issues a transaction for a device 4 associated with the remoteresource, the device 2 may specify an authentication URL identifying alocation 50 from which the device 4 associated with the remote resourcecan obtain authentication data for the device 2. For example, theauthentication information may include certificates and public keyswhich verify the device's identity. In some cases there may be a chainof certificates where different parties authenticate differentsub-parties to provide further authentication and so the identity of theend device 2 may need to be verified using several certificates. It isalso possible for the device 2 to provide the authentication informationdirectly to the resource 4 as part of the transaction. However,especially if the device 2 is a relatively small device such as asensor, then it may be more convenient for the authenticationinformation to be obtained from the authentication URL 50.

When obtaining the authentication information from the authenticationURL, the remote device 4 need not obtain the authentication informationusing the same communication channel or route that was used to send thetransaction from the device 2. For example, when opening a door bysubmitting a transaction over Bluetooth, the door may use a differentroute (e.g. using a house router or wired connection) to fetchcredentials from the authentication URL.

The authentication URL provided with the transaction may include afingerprint portion 60 which is generated using the authenticationinformation for the device 2. For example, the fingerprint portion 60may be a hash of part of the certificate or public key of theauthentication information. This means that to be able to direct theresource device 4 to access the authentication information from theauthentication URL, the device 2 sending the transaction must itselfhave access to the authentication information. This improves thesecurity of the system by reducing the chance that an unauthorizeddevice could somehow direct the resource device 4 to a validauthentication URL with valid authentication information.

The authentication information may be cached at various locations withinthe network to make it quicker to access the authentication informationfrom a local network node. The authentication information may definewhich particular actions can validly be carried out by the remoteresource when instructed by the device 2. The authentication informationmay also specify validity information indicating a period of validityfor the authentication information (e.g. an expiry date/time, a periodwith a start data/time and end date/time, or a non-continuous period).It can be useful for the authentication information to separately definea period within which the authentication information is valid and aperiod within which the authentication can cached by network nodes. Evenif the authentication information is valid for a relatively long period,the cacheability period may be set to a shorter period. For example, aparticular certificate may be valid for six months so that theauthenticator does not need to update the certificates very often.However, by only caching the certificate for a shorter period (e.g. oneday), access to a given remote resource can be revoked more quicklysince cached copies of the authentication information will be discardedat the end of the day and then the certificate would need to be obtainedagain from its original source in order to continue access, allowingaccess to be controlled more easily.

A summary of some features of the present technique, known as “PiPS”(Privacy in Plain Sight), is provided below.

Goals:

A PiPS-enabled web service may:

-   -   Maintain privacy—users control who accesses their data        (including cloud services)    -   Provide personalized information for different people/groups    -   Minimize workload for low-power devices, moving it to        cloud-services instead    -   Enable cacheing, lowering network requirements and improving        performance    -   Support asynchronous operations, to work with        limited-connectivity devices    -   Support time-series data

Principles:

-   -   Publish from the device, serve from the cloud        -   A device might make some resources/data available, but might            only wake up and connect to the wider web occasionally.        -   In this case, having a cloud service (including            “mini-clouds” such as local routers) host or mirror the data            means high availability, while still allowing devices to be            lower-power.    -   Safely use untrusted data-stores/mirrors/caches        -   With PiPS, you have control over who understands your data,            regardless of where it is stored. Data is stored encrypted,            at obfuscated URLs—only devices and people who have            permission to read the data will be able to understand it.        -   This means that you don't have to trust every data-store,            mirror or cacheing proxy that sees your data. You can allow            anybody to proxy/cache your data (for high availability)            without privacy concerns.    -   Asynchronous communications across untrusted intermediaries        -   With PiPS, interaction with devices is asynchronous. Actions            intended for the device can be queued up in proxies or cloud            services, waiting for when the device is next online.        -   These actions are also stored encrypted, meaning that            device-to-device communication can be private (even if both            devices are only occasionally online), without exposing the            communications to a central service.

Broad-Strokes Design:

-   -   Surrogate URLs and encrypted content        -   Resources have nice friendly URLs (“conceptual URLs”), so            published content and interactions can be organized in a            nice way.        -   However, the URL that is actually requested from the server            is different: an opaque URL that does not reveal the nature            of the information to the server, proxies, caches, etc.        -   All content is stored in encrypted form, so only the            end-devices can understand it.    -   Perform actions using Queues        -   A PiPS Queue is a list of pending actions/notifications. To            perform an action, you POST it to a Queue. The target device            then pulls actions off the Queue to execute them.        -   Queues can be monitored in different ways—so a            highly-connected device can maintain an open connection to            the cloud to get instant notifications, a less-connected            device could poll once a minute, etc.        -   If an action requires a response, then a “response Queue”            can be included, to which the results of the action can be            sent.    -   Time-series data in Queues        -   A Queue can be “turned around”—instead of many people adding            actions to a queue and one device reading it, you can have            one device publishing events to a queue, and many people            reading it.        -   The methods for monitoring queues remain the same (polling,            notifications, WebSockets, etc.). Since the content is            encrypted, Queues can be proxied/cached—so the original            Queue might only support polling, but proxies can layer Web            Sockets on top of that.        -   This means that a device can publish a set of events (using            a simple POST), and delegate the complex queries (e.g. “all            events since . . . ”) to cloud services, proxies, et cetera.    -   Site secrets and personalized content        -   A “site secret” is the information required to translate a            resource's “conceptual URL” into a surrogate URL, and to            decrypt the content.        -   Different people are provided with different secrets—so they            will end up at different surrogate URLs, so they can be            provided with different versions of the content.

General Principles:

-   -   Not trusting cloud providers        -   Don't leak data, structure, anything    -   Static resources (mirrorable/proxy/offline cache)        -   Devices can publish as many as they like        -   Supply custom content for some people    -   Actions submitted to queues        -   Authentication by certificate chain    -   Fits into existing web

Not Trusting Cloud Providers:

There's an increasing distrust of giving large companies data aboutyourself. Our current protection (mutable, rarely-read terms of service)is basically just trusting a company to behave well. However, cloudservices are useful, especially for devices with lower networkavailability, so we still want them.

Data Control:

How about we never give the cloud provider usable data in the firstplace? Encrypt everything, Uninformative URLs. This also gives us nofear of mirrors/proxies.

Comparison:

-   -   The data itself        -   Bad: plaintext data readable by anyone (inc. cloud)        -   Good: opaque blobs    -   Requests made to server        -   Bad: https://cloud.iot/my-house/bedroom/marital-aids/ . . .        -   Good: https://cloud.iot/c2V4bWFzdGVyLTMwMDA

Devices publish resources: We give all devices the ability to publishresources. These resources could be served from the device itself whenavailable (e.g. coap://<ipv6-address>/a210Y2h1bi1rZXR0bGU), with usersrelying on various caches when it is not. Alternatively, these resourcescould be given a cloud address (e.g.https://iot.arm.com/a210Y2h1bi1rZXR0bGU) for high availability. Requiresagreement with cloud, but easier for device (generated only once, alwaysserved from cloud). Note that a resource has only one URL—the above twoURLs are not equivalent.

Verifiable Owner:

The URL for each resource can contain a part computed from thefingerprint of the certificate to guarantee integrity even when servedfrom untrusted sources.

Surrogate Resources:

Customizing content and enabling privacy.

Say the client has a secret comprising three parts:

Scope: http://me.example.com/iot/geraint

Template: http://me.example.com/iot/{hmac}

Secret: site-secret

When accessing a resource in this scope, the client actually accesses adifferent URL to the one it is given.

-   -   1. HMAC(original-url, secret)    -   2. base64url(hmac)    -   3. Use inside template

Example: With the above secret, when accessing the resourcehttp://me.example.com/iot/geraint/temp:

-   -   1. HMAC (http://me.example.com/iot/geraint/temp, site-secret)    -   2. base64url: d2hhdGV2ZXI    -   3. Fill template: http://me.example.com/iot/d2hhdGV2ZXI

The server only sees http://me.example.com/iot/d2hhdGV2ZXI—nothing thathints to the conceptual structure of the site.

The original URL MAY still resolve to a plain-text resource, to givesomething useful/informative to clients not using this scheme. But thisis not essential.

Key Nodes:

Duplicating content is generally inefficient. The actual node at thecalculated URL could be a “key node”, meaning that it contains the URLof the actual content along with a decryption key—all encrypted usingthe site secret used to calculate that URL.

Privacy-Enabled Mode:

Private versions of resources and plain resources do not mix. If you areviewing a private version of a resource (hopefully with some visualindication), then your clients should not follow links or fetch relatedresources with their original URL. If the surrogate resource 404s, thenthe request should fail. This means that the “original resource” forhidden resources doesn't need to actually exist, and shouldn't berequested, keeping the actual structure of the resources hidden from theserver.

Multiple Secrets:

Even using key nodes, it is a burden to calculate a surrogate node forevery possible user, for every resource in your site. However, a usercan be in possession of multiple site secrets, such as a personal sitesecret and group site secret. This way, content that is available forevery member of a group can use a single surrogate node, while othercontent can be encoded on a person-by-person basis.

Obtaining More Secrets:

In reality, you don't want to hand the group site secret out. Otherwise,when you change it (e.g. to exclude a group member) you need tore-distribute the new one to everyone. Instead, you only hand outpersonal site secrets. To obtain more site secrets, clients can fetchthe “scope” URL (using their personal site secret). The resultingdocument will be a list of site secrets to use for subsequent browsing.

Alternative: have separate “secret expansion” URL, instead of usingscope

Website Sections:

Not only can you provide additional site secrets for group content, youcan provide secrets for only parts of a site. For instance, if all yourJavaScript and CSS lives in /style/, then you can specify a site secretspecifically for that section. That way, clients do not waste effortfirst trying to access those resources using personal and group sitesecrets.

Action Queues:

Instead of taking actions directly, resources can specify a queue towhich actions can be posted. There can be more than one of these queues,listed in preferential order—e.g. first the direct one (usable byBlueTooth locally), next hosted by local WiFi router, then on cloudservice. Resources describe the actions that can be taken using theirqueues, optionally with an encryption key so that such the actualactions remain opaque to the cloud service.

Authentication by Certificate Chain:

When an action is submitted, the URL of a resource (certificate) can besupplied that explains why the agent believes it has permission toperform that action. Each certificate specifies a public key that can beused for a particular purpose, and comprises:

-   -   Validity conditions (time/location/whatever)    -   Constraints (e.g. “Can turn on”)    -   Possibly reference to parent certificate

Understanding Certificates:

The actual vocabulary of what actions are/aren't allowed doesn't need tobe universal—just understood by the end device. There may be somestandard ones, though, e.g. Ownership—can do anything, Full use—can doanything except change owners

Example:

For the private key: <ABCDE>

Until: 2014-06-18T18:32

Allowed actions:

-   -   view recent history    -   issue new certificates like:        -   Allowed actions:            -   view recent history

This certificate could be used to let <ABCDE> view recent history.

It could also be referenced by a new certificate (signed by <ABCDE>)authorizing another entity to view the recent history.

Offline Case (e.g. Unlocking a Door in the Desert)

If wider network access is not available, then the agent wishing toperform the action can make itself available as a mini-cloud/-proxy,therefore making the certificate chain available as well.

Although illustrative embodiments have been described in detail hereinwith reference to the accompanying drawings, it is to be understood thatvarious changes and modifications can be effected therein by one skilledin the art without departing from the scope of the appended claims.

1. (canceled)
 2. A computer-implemented method for providing one or moredevices with access to a remote resource by one or more key noderesources, the method comprising: receiving, at a first key noderesource from a first device, a resource access request to access theremote resource located at a resource uniform resource locator (URL),wherein the first key node resource is at a location identified by afirst obscured uniform resource locator (URL) generated at the firstdevice using first secret data and a first URL, wherein the first URLand the first obscured URL are different; determining the remoteresource to which the first device is authorised to access; providingdata to the first device to enable the first device to access the remoteresource at the resource URL.
 3. The method of claim 2, comprising:receiving, at a second key node resource from a second device, aresource access request to access the remote resource, wherein thesecond key node resource is at a location identified by a secondobscured URL generated at the second device using second secret data anda second URL, wherein the second URL and the second obscured URL aredifferent; determining the remote resource to which the second device isauthorised to access; providing data to the second device to enable thesecond device to access the remote resource at the resource URL.
 4. Themethod of claim 3, wherein the data provided to the first and seconddevices enable the respective devices to access overlapping parts orsubsets of the same remote resource.
 5. The method of claim 3, whereinthe data provided to the first and second devices enable the respectivedevices to access different remote resources.
 6. The method of claim 2,wherein the data for enabling the first device or second device toaccess the remote resource comprises one or more of: the resource URL,data for calculating the resource URL, data identifying a location fromwhich the resource URL is obtainable.
 7. The method of claim 6, whereinthe resource URL is a non-intelligible URL.
 8. The method of claim 3,wherein the first URL is different to the second URL.
 9. The method ofclaim 2, wherein the first key node resource comprises data fordecrypting content at the remote resource.
 10. The method of claim 3,wherein the second key node resource comprises data for decryptingcontent at the remote resource.
 11. The method of claim 2, furthercomprising: providing, to the first device, the first URL; providing, tothe first device, the first secret data to enable the first device togenerate the first obscured URL using the first secret data and thefirst URL.
 12. A computer-implemented method for accessing a remoteresource by a device, the method comprising: obtaining, at the device, afirst uniform resource locator (URL); obtaining, at the device, secretdata; generating, at the device, an obscured URL using the first URL andthe secret data, wherein the obscured URL identifies a location of a keynode resource and wherein the first URL and the first obscured URL aredifferent; accessing, with the device, the key node resource using theobscured URL; receiving, at the device, data from the key node resourceto enable the device to access the remote resource at a resource URL.13. The method of claim 12 comprising: accessing, with the device, theremote resource using the data from the key node resource.
 14. Themethod of claim 12, wherein the data to enable the device to access theremote resource comprises one or more of: the remote resource URL, datafor calculating the remote resource URL, data identifying a remotelocation from which the resource URL is obtainable.
 15. The method ofclaim 12, wherein the device is part of a group of users.
 16. The methodof claim 15, comprising: revoking access to the remote resource for atleast one selected user of the group of users.
 17. The method of claim16, wherein revoking access to the remote resource for at least oneselected user comprises: removing the key node resource for the at leastone selected user.
 18. The method of claim 16, wherein revoking accessto the remote resource for at least one selected user comprises:generating new group secret data for the first URL for the group ofusers, and providing the new group secret data to users of the groupother than the at least one selected user.
 19. The method of claim 16,further comprising: establishing a new key node resource identified by anew obscured URL generated using the new group secret data and the firstURL or a new URL, the new key node resource comprising data to enablethe users of the group to access the remote resource.
 20. The method ofclaim 19, comprising: making inaccessible the new key node resource tothe at least one selected user.
 21. A key node resource at a locationidentified by a first obscured uniform resource locator (URL) operableto: receive, from a device, a resource access request to access a remoteresource located at a resource URL, wherein the key node resource is ata location identified by an obscured URL generated at the device usingfirst secret data and a first URL, wherein the first URL and the firstobscured URL are different; determine the remote resource to which thedevice is authorised to access; and provide data to the device to enablethe device to access the remote resource.